
Is an apology necessary for posting Crack ? (Longish)

Alec David Muffett

Apr 30, 1992, 7:16:47 AM
The following are the texts of a discussion that has been flying around
myself, Kent Landfield and Frank O'Dwyer for the last week. With the
latter's permission, I reproduce it here (almost in full) for comment.

The discussion is over the ethics and manner of the posting of Crack,
the Unix password cracker, to USENET about a year ago, the wisdom of
this action, and the impact of it since. Was it a stupid, ill-informed,
or irresponsible action, or was it a matter of education of the public
and fulfilling a perceived need, moving with the times ?

The matter is thrown open for public discussion. Your views would be
appreciated.

alec muffett.
::::::::::::::::::::::::

From: Frank....@de.sni.mchp.sniap
Subject: Crack - why not *ask* *us* first?
To: aem (alec muffet),
ke...@com.sterling.imd.sparky (Moderator comp.sources.misc)
Date: Fri, 24 Apr 92 14:39:01 MET
X-Mailer: ELM [version 2.3 PL3]

I wanted to post the following, but outbound posts are broken
at our site...

------

Newsgroups: comp.sources.d,alt.security,comp.unix.admin,news.admin

From the alt.security FAQ:
>Q.6 Isn't it dangerous to give cracking tools to everyone?
>
>That depends on your point of view. Some people have complained that
>giving unrestricted public access to programs like COPS and Crack is
>irresponsible because the "baddies" can get at them easily.
>
>Alternatively, you may believe that the really bad "baddies" have had
>programs like this for years, and that it's really a stupendously good
>idea to give these programs to the good guys too, so that they may check
>the integrity of their system before the baddies get to them.
>
>So, who wins more from having these programs freely available ? The good
>guys or the bad? You decide.

Hmmm.... Looks like the decision has already been taken. Wouldn't it
be polite to ask the net *before* freely distributing these tools?
(Apologies if this was done, but I didn't see it).

I have a really hard time justifying the free availability of the 'Crack'
program (To the uninitiated, "Crack" is a password guessing program
which is now freely available on the net. It is very good at guessing
passwords, and you should be very, very afraid.)

The standard argument of the-bad-guys-have-it-and-you-should-
have-it-too is tenuous in the extreme. I'm not a sysadmin, thankfully,
but if I were I would object to:

a) Having to devote enormous machine resources to checking
the integrity of /etc/passwd.

b) The possibility that any idiot could pick up this
program and merrily attempt to crack my system. We
must assume that at least some of the "bad guys" are
incapable of writing such a program.

The whole idea of Crack, if I have understood correctly, is
to prevent users using easily guessable passwords. Wouldn't it be
more sensible therefore to implement a so-called "fascist" /bin/passwd
replacement using the Crack dictionaries, rather than doing it
the CPU intensive way? Stops the same passwords, and perhaps some of
us would like to do some *useful* work with our computers.

Lastly, what about the poor sods who maybe have no USENET nor FTP access,
or don't read comp.sources, or missed the Crack post?

Apologies Alec - the program is great & I love the R.E.M. references,
but giving unrestricted public access to this program was plain *dumb*.
I simply can't see any good reason for it. Too late now, the damage
is already done - but next time why not *ask* us if we want to be
saved, and consider if there might be a better way to do it. Please!

--------------------------------------------------------------------------
Frank O'Dwyer Disclaimer:
Siemens-Nixdorf AG I will deny everything

::::::::::::::::::::::::

From: Kent Landfield <ke...@com.sterling.imd>
Subject: Re: Crack - why not *ask* *us* first?
To: Frank....@de.sni.mchp.sniap
Date: Fri, 24 Apr 92 9:46:52 CDT
Cc: aem

Frank,

> Hmmm.... Looks like the decision has already been taken. Wouldn't it
> be polite to ask the net *before* freely distributing these tools?
> (Apologies if this was done, but I didn't see it).

Programs like crack as well as other DES based tools have been available
on the Internet for years now. This was discussed heavily in response
to the Morris worm and with the rash of attempts and wanna-bees that
followed. The problem was trying to get these tools into the hands of the
good guys. The bad guys knew where they were and when the sources were
updated. Admins in the remote areas of the net (like Nebraska :-)) need to be
able to have access to these tools without having to make a career of searching
archives worldwide.

> I have a really hard time justifying the free availability of the 'Crack'
> program (To the uninitiated, "Crack" is a password guessing program
> which is now freely available on the net. It is very good at guessing
> passwords, and you should be very, very afraid.)

Yes, but the false sense of security they had before knowing of these
tools made their systems even less secure than they are now. Now, at least,
they have the ability to do something about it. The ability to do their
job better.

> The standard argument of the-bad-guys-have-it-and-you-should-
> have-it-too is tenuous in the extreme. I'm not a sysadmin, thankfully,
> but if I were I would object to:
>
> a) Having to devote enormous machine resources to checking
> the integrity of /etc/passwd.

A nice diff check of the password file allows you to check just the passwords
that changed. A diff check of the password file shows only the passwords that
have changed since the last check. This greatly reduces the resources needed
and crack can be niced down greatly. One of the problems that I have seen is
that users do not like to change their passwords that often making it even less
of a resource hog than you would imagine.

> b) The possibility that any idiot could pick up this
> program and merrily attempt to crack my system. We
> must assume that at least some of the "bad guys" are
> incapable of writing such a program.

Yes, but if you were running it as well you would not care... :-) They were
doing this before and the admins had no way of knowing how secure their front
line defense was... Now they do.

> The whole idea of Crack, if I have understood correctly, is
> to prevent users using easily guessable passwords. Wouldn't it be
> more sensible therefore to implement a so-called "fascist" /bin/passwd
> replacement using the Crack dictionaries, rather than doing it
> the CPU intensive way? Stops the same passwords, and perhaps some of
> us would like to do some *useful* work with our computers.

This is definitely the solution but to date it has not been done. I would
be willing to be a beta site if you are willing to spend the time doing it.
I would also love to post it to the newsgroup for all to use. The idea is
to get tools of this type into the hands of those who need to have them.

> Lastly, what about the poor sods who maybe have no USENET nor FTP access,
> or don't read comp.sources, or missed the Crack post?

Systems without International access already have a level of security built
in... :-) Crack is and has been available on comp.sources.misc archive
sites and it is listed each volume in the Index postings to c.s.misc.
It is available via email from many of those archive sites. More and more
references to it and its availability are appearing in security related
materials.

> Apologies Alec - the program is great & I love the R.E.M. references,
> but giving unrestricted public access to this program was plain *dumb*.
> I simply can't see any good reason for it. Too late now, the damage
> is already done - but next time why not *ask* us if we want to be
> saved, and consider if there might be a better way to do it. Please!

It was initially posted to solve an immediate need. The wolves were banging
on the door of a lot of systems. It was common to hear in mailing lists and
newsgroups questions like "Have you seen this too ?". A major break in
occurred in the recent past that caused a lot of people a lot of grief. There
were very few people working on security tools in a fashion that could be
immediately usable by those whose responsibility is system security and access.
This package helped to put another bolt on the doors and it focused the
community to begin seriously considering a solution to the problems. Yes a
proactive password checker is the answer and Matt Bishop has done some work
in this area. One day the vendors will distribute that as the standard passwd
program but until that day we need to be able to assure that security by
obscurity isn't making the sysadmins the ones in the dark.

-Kent+

Kent Landfield INTERNET: ke...@IMD.Sterling.COM
Sterling Software, IMD UUCP: uunet!sparky!kent
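
The diff check Kent Landfield describes in the message above, as an added example (not code from the thread or from Crack): it compares two snapshots of a classic unshadowed seven-field passwd file and returns only the accounts whose password field is new or changed, so that only those go to the audit run. The snapshots, the placeholder hash strings and the function names are constructed for illustration.

```python
# Added illustration: pick out the accounts whose password field changed
# between two snapshots of a classic seven-field /etc/passwd.

# Constructed sample snapshots; the hash strings are placeholders, not crypt() output.
PREVIOUS = """\
root:PLACEHOLDERHASH01:0:0:Operator:/:/bin/sh
alice:PLACEHOLDERHASH02:101:100:Alice:/home/alice:/bin/sh
bob:PLACEHOLDERHASH03:102:100:Bob:/home/bob:/bin/sh
uucp:*:4:4:UUCP:/usr/spool/uucp:/bin/sh
"""
CURRENT = """\
root:PLACEHOLDERHASH01:0:0:Operator:/:/bin/sh
alice:PLACEHOLDERHASH09:101:100:Alice:/home/alice:/bin/sh
carol:PLACEHOLDERHASH05:103:100:Carol:/home/carol:/bin/sh
ingres::105:100:Ingres:/usr/ingres:/bin/sh
uucp:*:4:4:UUCP:/usr/spool/uucp:/bin/sh
this line is malformed
"""


def parse_passwd(text):
    """Return ({login: password_field}, [numbers of lines that did not parse])."""
    entries, malformed = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[0]:
            malformed.append(lineno)
            continue
        entries[fields[0]] = fields[1]
    return entries, malformed


def has_hash(field):
    """True when the field holds a hash worth auditing.

    "" means no password at all; a "*" or "!" prefix marks a locked account;
    "x" means the hash lives in a shadow file and is not visible here.
    """
    return bool(field) and field != "x" and field[0] not in "*!"


def incremental_audit(previous_text, current_text):
    """Compare two snapshots and say which accounts need attention."""
    previous, _ = parse_passwd(previous_text)
    current, malformed = parse_passwd(current_text)
    return {
        # New accounts and accounts whose hash differs from the last run.
        "audit": sorted(u for u, h in current.items()
                        if has_hash(h) and previous.get(u) != h),
        # Empty password fields are reported on every run, changed or not.
        "empty": sorted(u for u, h in current.items() if h == ""),
        "removed": sorted(set(previous) - set(current)),
        "malformed": malformed,
    }


def subset_for_audit(current_text, logins):
    """Return only the passwd lines for `logins`, as input for the audit tool."""
    wanted = set(logins)
    return "".join(line + "\n" for line in current_text.splitlines()
                   if line.split(":", 1)[0] in wanted)


if __name__ == "__main__":
    report = incremental_audit(PREVIOUS, CURRENT)
    for key, value in report.items():
        print(f"{key}: {value}")
    print(subset_for_audit(CURRENT, report["audit"]), end="")
```

Accounts with an empty password field are listed on every run rather than only when they change, since they need no guessing at all.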

::::::::::::::::::::::::

To: "Frank.ODwyer" <Frank....@de.sni.mchp.sniap>
Cc: aem (alec muffet),
ke...@com.sterling.imd.sparky (Moderator comp.sources.misc)
Subject: Re: Crack - why not *ask* *us* first?
Date: Mon, 27 Apr 92 10:59:24 +0100
From: aem

>The whole idea of Crack, if I have understood correctly, is
>to prevent users using easily guessable passwords.

Wrong. That's a job for npasswd or passwd+.

>Wouldn't it be
>more sensible therefore to implement a so-called "fascist" /bin/passwd
>replacement using the Crack dictionaries, rather than doing it
>the CPU intensive way? Stops the same passwords, and perhaps some of
>us would like to do some *useful* work with our computers.

Crack's raison d'etre is to scare a) hell out of the Unix world and get
something done about the problem, and in the meantime b) help alert a
system manager to users on his/her system who choose bad passwords - or
system supplied passwords which have been forgotten about (ingres/ingres
???). Even NPasswd can do nothing if there is no user to change the
password.

Incidentally, the flexibility of Crack v4.? has inspired Clyde Hoover
and his npasswd team to new heights of programming achievement... all
will be revealed in npasswd 2.0 8-)

>Lastly, what about the poor sods who maybe have no USENET nor FTP access,
>or don't read comp.sources, or missed the Crack post?

Apparently it is widely distributed by Sun's various user groups, and
the LICENCE document is written to allow (encourage?) that sort of
thing... I'm also working on improving the media's awareness right
now...

>Apologies Alec - the program is great & I love the R.E.M. references,
>but giving unrestricted public access to this program was plain *dumb*.
>I simply can't see any good reason for it. Too late now, the damage
>is already done - but next time why not *ask* us if we want to be
>saved, and consider if there might be a better way to do it. Please!

I doubt that I could answer the question in a way that would change your
opinions, but I would like to point out that:-

1) there have been password crackers about before mine eg: COPS, the
'KillerCracker', etc, a few of which (including the latter) are wrapped
up as _CRACKING_ tools, with a certain cachet for owning and passing
around. Crack at least is honest in its objectives.

2) they really are quite trivial to write, just hard to write WELL -
the same goes for editors, games, any software

3) I did agonise over it for weeks before releasing a fcrypt() version,
and it was weight of public opinion that made me choose to do it,
I'm not some irresponsible kid...

and all I can suggest is that, if you want a response, I will undertake
to post your letter in the following newsgroups: alt.security,
comp.sources.d, comp.unix.admin - and see how much of public opinion
backs you. I do not wish to sound smug, but I think the weight of
support behind me will swamp any criticism.

yours, alec
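
The proactive check discussed in the messages above (refusing a weak password at the moment it is chosen, rather than guessing it afterwards), as an added example that is not part of the thread and is not npasswd's or passwd+'s code. The word list, the minimum length, the substitution table and all function names are assumptions made for illustration.

```python
import re

# Constructed word list for the example; a site would load its own dictionaries.
WORDLIST = {"password", "secret", "coffee", "wizard", "ingres", "uucp"}

MIN_LENGTH = 8  # assumed site policy, not a value taken from the thread

# Common character-for-letter disguises: p4ssw0rd -> password.
SUBSTITUTIONS = str.maketrans("013457$@", "oleastsa")


def strip_decoration(text):
    """Drop leading and trailing non-letters: "coffee99!" -> "coffee"."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", text)


def root_forms(password):
    """Return the plain words a candidate password might be built on."""
    lowered = password.lower()
    swapped = lowered.translate(SUBSTITUTIONS)
    stripped = strip_decoration(lowered)
    candidates = {lowered, swapped, stripped,
                  strip_decoration(swapped), stripped.translate(SUBSTITUTIONS)}
    # A word typed backwards is still a dictionary word.
    forms = candidates | {c[::-1] for c in candidates}
    forms.discard("")
    return forms


def personal_words(login, gecos=""):
    """Words tied to the account itself: the login name and GECOS names."""
    words = {login.lower()}
    words.update(w for w in re.split(r"[^a-z]+", gecos.lower()) if len(w) >= 3)
    return words


def check_password(password, login, gecos=""):
    """Return the reasons to refuse `password`; an empty list means accept."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    forms = root_forms(password)
    if forms & personal_words(login, gecos):
        reasons.append("based on account details")
    if forms & WORDLIST:
        reasons.append("dictionary word")
    return reasons


if __name__ == "__main__":
    # Constructed candidates, checked for a hypothetical account "aem".
    for candidate in ("Coffee99", "p4ssw0rd", "muffett7", "tr8&Vk!qzP"):
        verdict = check_password(candidate, "aem", "Alec David Muffett")
        print(candidate, "->", verdict or "accepted")
```

Because the check runs on the plaintext at change time, each candidate costs a few set lookups and no hashing; it cannot help with accounts that nobody logs in to change, which is the gap Alec points out above.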

::::::::::::::::::::::::

From: Frank....@de.sni.mchp.sniap
Subject: Re: Crack - why not *ask* *us* first?
To: ke...@com.sterling.imd (Kent Landfield)
Date: Mon, 27 Apr 92 14:03:17 MET
Cc: aem (alec muffet)

Kent,

Thanks for the quick response. In answer to some of your points...

| Programs like crack as well as other DES based tools have been available
| on the Internet for years now. This was discussed heavily in response
| to the Morris worm and with the rash of attempts and wanna-bees that
| followed. The problem was trying to get these tools into the hands of the
| good guys. The bad guys knew where they were and when the sources were
| updated. Admins in the remote areas of the net (like Nebraska :-)) need to be
| able to have access to these tools without having to make a career of searching
| archives worldwide.

a) I don't think "discussion" is enough. I think it might have been
voted on, at least. My concern as I explained to Alec (cc'ed to you)
is not just that I think public access to Crack is silly (I do) but that it
should have been decided by those whom it affects.

b) Neither the bad guys nor the good guys had access to a program
as fast and as versatile as this before. And don't you think you
reached a new audience...how about all those college USENET sites.

c) Not everyone gets "news". Many people who *have* access to "news" don't
know it, or don't care, or haven't time to read it. I myself just recently
regained access (to read, at least:-)) after an absence of about 3 years.

| Yes, but the false sense of security they had before knowing of these
| tools made their systems even less secure than they are now. Now, at least,
| they have the ability to do something about it. The ability to do their
| job better.

If they noticed the post. If they realised its importance. If they
had time to read it. If it ported easily to their machine. If they had
the resources to run it...

And why wouldn't npasswd, or alecpasswd have done the trick? So it leaves
some holes, but it still raises awareness, which is what you're saying.

> > b) The possibility that any idiot could pick up this
> > program and merrily attempt to crack my system. We
> > must assume that at least some of the "bad guys" are
> > incapable of writing such a program.

> Yes, but if you were running it as well you would not care... :-) They were
> doing this before and the admins had no way of knowing how secure their front
> line defense was... Now they do.

Shouldn't you care? Maybe someone has a better dictionary than you,
or cleverer rules.

| Systems without International access already have a level of security built
| in... :-) Crack is and has been available on comp.sources.misc archive
| sites and it is listed each volume in the Index postings to c.s.misc.
| It is available via email from many of those archive sites. More and more
| references to it and its availability are appearing in security related
| materials.

There *are* systems with International access without USENET access. There
are people who don't read USENET, because they haven't time. Don't laugh,
but I know a large number of computer professionals who never *heard*
of USENET.

| This package helped to put another bolt on the doors and it focused the
| community to begin seriously considering a solution to the problems.

Meanwhile, what would you say is happening with Crack?...

--------------------------------------------------------------------------
Frank O'Dwyer Disclaimer:
Siemens-Nixdorf AG I will deny everything

::::::::::::::::::::::::

To: "Frank.ODwyer" <Frank....@de.sni.mchp.sniap>
Cc: ke...@com.sterling.imd (Kent Landfield), aem (alec muffet)
Subject: Re: Crack - why not *ask* *us* first?
Date: Tue, 28 Apr 92 11:16:14 +0100
From: aem

>Kent,

>a) I don't think "discussion" is enough. I think it might have been
>voted on, at least. My concern as I explained to Alec (cc'ed to you)
>is not just that I think public access to Crack is silly (I do) but that it
>should have been decided by those whom it affects.

It was - it's just that you missed it. Can't poll everybody in the
world. Shall I send you copies of the relevant email ? I've lost the
NEWS articles though...

>b) Neither the bad guys nor the good guys had access to a program
>as fast and as versatile as this before. And don't you think you
>reached a new audience...how about all those college USENET sites.

Actually, COPS with Baldwin fcrypt() mark II was available from (I think
it was) UColorado, for months previously. I used Archie to find it. So
could anybody else. Once I had found it (after I was informed of its
existence via email) I decided "What the hell..."

>c) Not everyone gets "news". Many people who *have* access to "news" don't
>know it, or don't care, or haven't time to read it. I myself just recently
>regained access (to read, at least:-)) after an absence of about 3 years.

True, but a lot of magazines have reported it (including one in New
Zealand and 1 in Germany...). You'll never reach everybody (again), but
(again), is the way it goes...

>| Yes, but the false sense of security they had before knowing of these
>| tools made their systems even less secure than they are now. Now, at least,
>| they have the ability to do something about it. The ability to do their
>| job better.

>If they noticed the post. If they realised its importance. If they
>had time to read it. If it ported easily to their machine. If they had
>the resources to run it...

Can't do too much about "noticing" - same thing goes if they don't
"notice" that their machine was set up with user "uucp" passwd "uucp"...
- as for porting it, I worked my arse off for precisely that reason - it
runs on Crays, it runs on my diddy little Amiga A500 at home... as for
the resource usage, ditto...

>And why wouldn't npasswd, or alecpasswd have done the trick? So it leaves
>some holes, but it still raises awareness, which is what you're saying.

Because a lot of people have ignored npasswd in the past - there wasn't
a need for using it, as far as most people were concerned. They didn't
understand the problem. Now, a lot more people do. Perhaps, this
sounds self satisfied, clever or smug, but it's not meant to be.

Car seat belts were by and large ignored in the UK until a reason was
provided for wearing them (legislation and hefty fines if caught by
police) - now people DO wear them, and most people agree with their use.
They didn't beforehand.

Ditto Crack. Its prime purpose (as other people than I have pointed
out) is not a security tool, but an educational tool. Its use in
securing systems is secondary to this. I didn't quite realise this at
first, but it fits public reaction.

>> Yes, but if you were running it as well you would not care... :-)
>> They were
>> doing this before and the admins had no way of knowing how secure
>> their front line defense was... Now they do.

>Shouldn't you care? Maybe someone has a better dictionary than you,
>or cleverer rules.

Yeah. Or more CPU, or extra hardware. Whoopee. Like any cracking
problem, you can break into ANY system if you expend enough resources.

>Meanwhile, what would you say is happening with Crack?...

I'm taking a break and writing a NEWS batching and control system in
Perl, as well as a multi user game. Also coffee. I'm drinking lots of
coffee; and I'm trying to find a job... 8-)

- alec
::::::::::::::::::::::::

From: Frank....@de.sni.mchp.sniap
Subject: Re: Crack - why not *ask* *us* first?
To: aem
Date: Mon, 27 Apr 92 13:16:28 MET
Cc: ke...@com.sterling.imd.sparky (Moderator comp.sources.misc)

Alec,

Firstly, thanks for the quick response. I think basically we are
in agreement about the seriousness of the problem which Crack
attempts to address, but have differing views about how to go about it.
I'd hope we're not going to get into an e-mail slanging match over this,
but here are some responses to the points you raised...

| >The whole idea of Crack, if I have understood correctly, is
| >to prevent users using easily guessable passwords.

| Wrong. That's a job for npasswd or passwd+.

Yes, but the ultimate aim is to stop people (or systems, if we want
to get pedantic about it) using silly passwords, isn't it?

| Crack's raison d'etre is to scare a) hell out of the Unix world and get
| something done about the problem, and in the meantime b) help alert a
| system manager to users on his/her system who choose bad passwords - or
| system supplied passwords which have been forgotten about (ingres/ingres
| ???). Even NPasswd can do nothing if there is no user to change the
| password.

I agree with you. I just think there are better ways. Really, I don't
doubt your motives at all. My problem is mainly
with the way this was handled. I think it could have at least been voted
on over USENET by the people who are most affected - the godforsaken sysadmins
and those unfortunates who have to use their systems. Personally, as I
have said, I think it's silly to have unrestricted access to this
particular program. But that's just my opinion and I'm willing to bow
to the views of the majority. What bothers me is being presented with
a fait accompli, and being told (in a FAQ yet) "you decide". Like I said,
it's been decided, but by whom?

| Incidentally, the flexibility of Crack v4.? has inspired Clyde Hoover
| and his npasswd team to new heights of programming achievement... all
| will be revealed in npasswd 2.0 8-)

Glad to hear it. Hope this means that there will be a common dictionary
format.

| I doubt that I could answer the question in a way that would change your
| opinions, but I would like to point out that:-

Whoa! I'm not dogmatic about this, I hope. My first reaction on seeing
the Crack sources was to agree with most of what you were saying about it.
It was only upon reflection that I thought it was badly handled, so I said
so.

| 1) there have been password crackers about before mine eg: COPS, the
| 'KillerCracker', etc, a few of which (including the latter) are wrapped
| up as _CRACKING_ tools, with a certain cachet for owning and passing
| around. Crack at least is honest in its objectives.

This all sounds very reasonable. Unfortunately it also sounds a
little like the arguments used by the pro-gun lobby in a certain
very large country :-)

| 2) they really are quite trivial to write, just hard to write WELL -
| the same goes for editors, games, any software

Yes, but you've written a good one now and any idiot can get it. You have
to admit that somebody somewhere is using Crack to break systems, who
simply wouldn't have had the technology before. Maybe the idea wouldn't
have occurred to him/her. I consider myself an above average
'C' programmer & I would not relish the task of doing what you did.
And this is from someone whose job is *security related* - and who has
implemented both RSA and DES in his time. You've saved potential crackers
months of work. You know it. I know it. They know it.

| 3) I did agonise over it for weeks before releasing a fcrypt() version,
| and it was weight of public opinion that made me choose to do it,
| I'm not some irresponsible kid...

*You* may not be irresponsible, but I'd say there are several pimple-faced
geeks whooping it up all over the Internet right now.

| and all I can suggest is that, if you want a response, I will undertake
| to post your letter in the following newsgroups: alt.security,
| comp.sources.d, comp.unix.admin - and see how much of public opinion
| backs you. I do not wish to sound smug, but I think the weight of
| support behind me will swamp any criticism.

If you like, I think anything that prompts discussion on this topic
would be constructive. But please remember that the main point I am
making is not a technical one - just that it would be polite to ask
people *before* and not after the fact. I believe that what you're
doing has important implications for people who have no idea that you're
doing it. The decision should not be taken by a small clique of people.

--------------------------------------------------------------------------
Frank O'Dwyer Disclaimer:
Siemens-Nixdorf AG I will deny everything

::::::::::::::::::::::::

To: "Frank.ODwyer" <Frank....@de.sni.mchp.sniap>
Cc: aem, ke...@com.sterling.imd.sparky (Moderator comp.sources.misc)
Subject: Re: Crack - why not *ask* *us* first?
Date: Thu, 30 Apr 92 11:02:04 +0100

>Alec,
>Firstly, thanks for the quick response.

S'aright...

>I think basically we are
>in agreement about the seriousness of the problem which Crack
>attempts to address, but have differing views about how to go about it.
>I'd hope we're not going to get into an e-mail slanging match over this,
>but here are some responses to the points you raised...

Okay. I will concur, we are (all three) reasonable men with low blood
pressure... 8-)

>| >The whole idea of Crack, if I have understood correctly, is
>| >to prevent users using easily guessable passwords.
>| Wrong. That's a job for npasswd or passwd+.

>Yes, but the ultimate aim is to stop people (or systems, if we want
>to get pedantic about it) using silly passwords, isn't it?

Partly. The other part is to make the point that there is a need to
stop people from choosing crackable passwords.

>| Crack's raison d'etre is to scare a) hell out of the Unix world and get
>| something done about the problem, and in the meantime b) help alert a
>| system manager to users on his/her system who choose bad passwords - or
>| system supplied passwords which have been forgotten about (ingres/ingres
>| ???). Even NPasswd can do nothing if there is no user to change the
>| password.

>I agree with you. I just think there are better ways. Really, I don't
>doubt your motives at all. My problem is mainly
>with the way this was handled. I think it could have at least been voted
>on over USENET by the people who are most affected - the godforsaken sysadmins
>and those unfortunates who have to use their systems.

I could not poll everybody. However, I clearly and concisely stated my
intentions last year to post Crack/fcrypt() in a posting to
alt.security. Nobody complained, and several people responded with
"Good on yer!" or similar. That's the fairest I think I could have
been. You only get to launch a piece of software once.

>Personally, as I
>have said, I think it's silly to have unrestricted access to this
>particular program. But that's just my opinion and I'm willing to bow
>to the views of the majority. What bothers me is being presented with
>a fait accompli, and being told (in a FAQ yet) "you decide". Like I said,
>it's been decided, but by whom?

Erm, in a nutshell, it was me. Yes. However, I was of your opinion two
years ago. Noting the increasing interconnectivity of the world, and
the ease with which software can be found in archives, I am now
otherwise. For me, it's a case of moving with the times.

>| I doubt that I could answer the question in a way that would change your
>| opinions, but I would like to point out that:-

>Whoa! I'm not dogmatic about this, I hope. My first reaction on seeing
>the Crack sources was to agree with most of what you were saying about it.
>It was only upon reflection that I thought it was badly handled, so I said
>so.

Neither of us will be able to decide that to everybody's liking.

>| 1) there have been password crackers about before mine eg: COPS, the
>| 'KillerCracker', etc, a few of which (including the latter) are wrapped
>| up as _CRACKING_ tools, with a certain cachet for owning and passing
>| around. Crack at least is honest in its objectives.

>This all sounds very reasonable. Unfortunately it also sounds a
>little like the arguments used by the pro-gun lobby in a certain
>very large country :-)

Perhaps, but I think the analogy is incomplete. It is within every
sysman's (or manufacturer's) mien to secure their system to a point at
which Crack is useless. The same cannot be said of guns.

>| 2) they really are quite trivial to write, just hard to write WELL -
>| the same goes for editors, games, any software

>Yes, but you've written a good one now and any idiot can get it. You have
>to admit that somebody somewhere is using Crack to break systems, who
>simply wouldn't have had the technology before. Maybe the idea wouldn't
>have occurred to him/her. I consider myself an above average
>'C' programmer & I would not relish the task of doing what you did.

Erm, well, I can't really answer this without doing myself down a bit,
but what the hell. All it takes is Unix, spare programming time spread
over about 10 months, good connections on the network, and about a dozen
jars of Nescafe.

I didn't understand the DES algorithm for the first 5 months, I was just
treating the code as a black box, but perhaps it was because I was
looking at the program structure rather than the algorithm that I
managed to speed it up so much (~300%). That plus a little common sense
did the trick.

>And this is from someone whose job is *security related* - and who has
>implemented both RSA and DES in his time. You've saved potential crackers
>months of work. You know it. I know it. They know it.

They wouldn't have bothered doing the work themselves. They would just
ask around friends until they had a copy of KillerCracker, fcrypt() Mk I
or II. Until then, they would make do with COPS and the standard
crypt(). I know this to be true. I used to on my physics dept Suns at
UCL. 8-)

>| 3) I did agonise over it for weeks before releasing a fcrypt() version,
>| and it was weight of public opinion that made me choose to do it,
>| I'm not some irresponsible kid...

>*You* may not be irresponsible, but I'd say there are several pimple-faced
>geeks whooping it up all over the Internet right now.

There will always be children...

>| and all I can suggest is that, if you want a response, I will undertake
>| to post your letter in the following newsgroups: alt.security,
>| comp.sources.d, comp.unix.admin - and see how much of public opinion
>| backs you. I do not wish to sound smug, but I think the weight of
>| support behind me will swamp any criticism.

>If you like, I think anything that prompts discussion on this topic
>would be constructive. But please remember that the main point I am
>making is not a technical one - just that it would be polite to ask
>people *before* and not after the fact. I believe that what you're
>doing

...(what I've done)...

>has important implications for people who have no idea that you're
>doing it. The decision should not be taken by a small clique of people.

How about 1 person ? Nah... 10 ? 100 ? 1000 ? 10000 ? 100000 ? ...

As for bringing the discussion onto news, I shall, then.

alec.
--
Alec David Edward Muffett, Unix Programmer and Unemployed Coffee Drinker
a...@aber.ac.uk a...@uk.ac.aber aem%ab...@ukacrl.bitnet mcsun!uknet!aber!aem
- send (cryptographic) comp.sources.misc material to: a...@aber.ac.uk -
"I didn't invent the Unix Password Security problem. I just optimised it."
